Set minimum permissions for workflows #10055
Labels
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: feature request
‘Nice-to-have’ improvement, new feature or different behavior or design.
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
GitHub workflows are granted high permissions by default. Permissions that allow, for example, to delete your source code and publish releases. The permissions can be exploited by malicious actions run in the workflow or malicious PRs if run on
pull_request_target
.Describe the solution you'd like
Set restricted permissions to run GitHub workflows or declare minimum permissions in the workflows.
e.g.
permissions: contents: read
for workflows that only need to doactions/checkout
.Describe alternatives you've considered
None.
Additional context
My name is Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes.
The text was updated successfully, but these errors were encountered: